Web
Nmap discovered a web server on target port 80.
The running service is Apache httpd 2.4.52 (Ubuntu).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bullybox]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Mon, 31 Mar 2025 16:21:52 GMT
Server: Apache/2.4.52 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Content-Type: text/html
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bullybox]
└─$ curl -i http://$IP/
HTTP/1.1 200 OK
Date: Mon, 31 Mar 2025 16:22:42 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Tue, 27 Jun 2023 04:35:09 GMT
ETag: "47-5ff14fe0675bb"
Accept-Ranges: bytes
Content-Length: 71
Vary: Accept-Encoding
Content-Type: text/html
<script>
window.location.href = "http://bullybox.local/"
</script>
The index page redirects to the domain bullybox.local.
The domain has been added to the /etc/hosts file on Kali for local name resolution.
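The redirect above is a JavaScript one rather than a Location header, so `curl -I` alone would not show it. As an added example (not part of the original writeup), the Python below parses a raw response, finds a redirect whether it is delivered as a Location header, a meta refresh, or a `window.location` assignment, and derives the /etc/hosts line for the target hostname. `RAW_RESPONSE` is constructed from the curl output shown above (headers trimmed); the regexes and helper names are the example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the curl response captured above, reassembled with
# CRLF header terminators (Date, ETag and Content-Length headers omitted).
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.52 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<script>\nwindow.location.href = "http://bullybox.local/"\n</script>\n'
)

# JavaScript assignments such as  window.location.href = "..."  or  location = '...'
JS_LOCATION_RE = re.compile(
    r"""(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
)
# <meta http-equiv="refresh" content="0; url=...">  (attributes in this order only)
META_REFRESH_RE = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]+content=["'][^;"']*;\s*url=([^"'>\s]+)""",
    re.I,
)


def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_redirect(raw):
    """Return (mechanism, target) for the first redirect found, or None.
    Header redirects take precedence; a JavaScript redirect is only visible
    when the body is parsed, which is why a HEAD request misses it."""
    _, headers, body = split_response(raw)
    if "location" in headers:
        return "header", headers["location"]
    m = META_REFRESH_RE.search(body)
    if m:
        return "meta-refresh", m.group(1)
    m = JS_LOCATION_RE.search(body)
    if m:
        return "javascript", m.group(1)
    return None


def hosts_entry(ip, target_url):
    """Build the /etc/hosts line mapping the redirect target's hostname to ip."""
    host = urlsplit(target_url).hostname
    if not host:
        raise ValueError(f"no hostname in redirect target: {target_url!r}")
    return f"{ip}\t{host}"


if __name__ == "__main__":
    mechanism, target = find_redirect(RAW_RESPONSE)
    print(mechanism, target)
    # Target IP as it appears in this writeup's vhost scan.
    print(hosts_entry("192.168.154.27", target))
```

The same parser is useful on the defensive side for asset inventory: a scanner that only follows 3xx responses will never learn that the default site hands visitors to bullybox.local, so name-based virtual hosts reachable only through a script redirect stay off the inventory.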
Webroot
It is an instance of BoxBilling, an open-source billing and client management application.
The source code is publicly available for review.
Admin Page
The admin page is located at the /bb-admin endpoint.
No credentials are known at this time.
Version Information
The version is 4.22-beta.1.5.
Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bullybox]
└─$ searchsploit boxbilling 4.22
-------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------- ---------------------------------
BoxBilling<=4.22.1.5 - Remote Code Execution (RCE) | php/webapps/51108.txt
-------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
The target BoxBilling instance is affected by an authenticated RCE vulnerability, CVE-2022-3552.
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bullybox]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://bullybox.local/FUZZ -ic -e .txt,.html,.php -fs 3971 -fc 403
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://bullybox.local/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .txt .html .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
:: Filter : Response size: 3971
________________________________________________
.git [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 119ms]
LICENSE [Status: 200, Size: 11346, Words: 2514, Lines: 203, Duration: 159ms]
about-us [Status: 200, Size: 9436, Words: 3100, Lines: 210, Duration: 214ms]
balance [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 21ms]
bb-admin.txt [Status: 200, Size: 4029, Words: 1593, Lines: 4, Duration: 26ms]
bb-admin.html [Status: 200, Size: 4031, Words: 1593, Lines: 4, Duration: 26ms]
bb-admin [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 28ms]
bb-admin.php [Status: 200, Size: 4029, Words: 1593, Lines: 4, Duration: 18ms]
blog [Status: 200, Size: 10663, Words: 3398, Lines: 236, Duration: 271ms]
cart [Status: 200, Size: 9299, Words: 3074, Lines: 242, Duration: 266ms]
client [Status: 302, Size: 3994, Words: 1590, Lines: 4, Duration: 36ms]
contact-us [Status: 200, Size: 11039, Words: 4205, Lines: 282, Duration: 204ms]
dashboard [Status: 302, Size: 13538, Words: 5730, Lines: 375, Duration: 92ms]
email [Status: 302, Size: 8976, Words: 3239, Lines: 221, Duration: 104ms]
emails [Status: 302, Size: 8976, Words: 3239, Lines: 221, Duration: 80ms]
example [Status: 200, Size: 4185, Words: 1602, Lines: 4, Duration: 88ms]
forum [Status: 200, Size: 9808, Words: 3682, Lines: 234, Duration: 121ms]
index.php [Status: 200, Size: 10462, Words: 3564, Lines: 265, Duration: 230ms]
invoice [Status: 302, Size: 9558, Words: 3532, Lines: 238, Duration: 123ms]
kb [Status: 200, Size: 9522, Words: 3267, Lines: 222, Duration: 158ms]
login [Status: 200, Size: 14605, Words: 6197, Lines: 350, Duration: 108ms]
me [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 23ms]
news [Status: 200, Size: 10663, Words: 3398, Lines: 236, Duration: 240ms]
order [Status: 200, Size: 12532, Words: 4220, Lines: 302, Duration: 251ms]
privacy-policy [Status: 200, Size: 10669, Words: 3276, Lines: 216, Duration: 226ms]
rb.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 25ms]
reset-password [Status: 200, Size: 9393, Words: 3256, Lines: 226, Duration: 248ms]
robots.txt [Status: 200, Size: 716, Words: 77, Lines: 21, Duration: 26ms]
robots.txt [Status: 200, Size: 716, Words: 77, Lines: 21, Duration: 21ms]
service [Status: 302, Size: 9188, Words: 3322, Lines: 229, Duration: 162ms]
sitemap.xml [Status: 200, Size: 1719, Words: 295, Lines: 54, Duration: 106ms]
support [Status: 302, Size: 11285, Words: 4118, Lines: 294, Duration: 217ms]
tos [Status: 200, Size: 10263, Words: 3224, Lines: 210, Duration: 164ms]
:: Progress: [81912/81912] :: Job [1/1] :: 190 req/sec :: Duration: [0:05:15] :: Errors: 0 ::
A .git directory was discovered.
Browsing the .git directory itself returns 403, as expected.
That 403 only blocks the directory index; the files inside it are still served one by one, which is what git-dumper relies on.
The repository was dumped using git-dumper.
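The scan above also shows a second thing worth catching before trusting the hit list: bb-admin.txt, bb-admin.html, bb-admin.php and example all return a 4-line, roughly 1600-word page, i.e. one catch-all response that the single `-fs 3971` filter did not remove. As an added example (not part of the original writeup), the Python below parses ffuf's default output format, drops the duplicated robots.txt line, clusters the 200 responses by shape to expose that catch-all page, and flags the .git hit as source exposure. The lines in `FFUF_OUTPUT` are copied from the run above; the regex, the clustering heuristic and the function names are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the ffuf result lines from the scan above.
FFUF_OUTPUT = """\
.git [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 119ms]
LICENSE [Status: 200, Size: 11346, Words: 2514, Lines: 203, Duration: 159ms]
bb-admin.txt [Status: 200, Size: 4029, Words: 1593, Lines: 4, Duration: 26ms]
bb-admin.html [Status: 200, Size: 4031, Words: 1593, Lines: 4, Duration: 26ms]
bb-admin [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 28ms]
bb-admin.php [Status: 200, Size: 4029, Words: 1593, Lines: 4, Duration: 18ms]
example [Status: 200, Size: 4185, Words: 1602, Lines: 4, Duration: 88ms]
robots.txt [Status: 200, Size: 716, Words: 77, Lines: 21, Duration: 26ms]
robots.txt [Status: 200, Size: 716, Words: 77, Lines: 21, Duration: 21ms]
rb.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 25ms]
"""

# One ffuf result line in its default (non-JSON) output format.
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\[Status:\s*(?P<status>\d+),\s*Size:\s*(?P<size>\d+),"
    r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+),\s*Duration:\s*(?P<ms>\d+)ms\]"
)

# Directory names whose presence under the web root means source or history is exposed.
VCS_DIRS = {".git", ".svn", ".hg"}


def parse_ffuf(text):
    """Parse ffuf result lines into dicts; banner and progress lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        hits.append({
            "path": d["path"],
            "status": int(d["status"]),
            "size": int(d["size"]),
            "words": int(d["words"]),
            "lines": int(d["lines"]),
        })
    return hits


def dedupe(hits):
    """Drop repeated results (robots.txt is reported twice: once from the
    wordlist entry itself and once from the '-e .txt' extension)."""
    seen, out = set(), []
    for h in hits:
        key = (h["path"], h["status"], h["size"])
        if key not in seen:
            seen.add(key)
            out.append(h)
    return out


def likely_catch_all(hits, min_paths=3):
    """Cluster 200 responses by a loose signature (line count, words rounded
    to the nearest hundred). A signature shared by several unrelated paths is
    a soft-404 / catch-all page that a single '-fs' size filter missed."""
    groups = defaultdict(list)
    for h in hits:
        if h["status"] == 200:
            groups[(h["lines"], round(h["words"] / 100))].append(h["path"])
    return {sig: paths for sig, paths in groups.items() if len(paths) >= min_paths}


def exposed_vcs(hits):
    """Any non-404 answer for a VCS directory name means it exists on disk.
    A 301 or 403 on the directory is not protection: the files inside it
    (HEAD, index, objects) are usually still served individually."""
    return [h["path"] for h in hits
            if h["path"].rstrip("/").split("/")[-1] in VCS_DIRS and h["status"] != 404]


def triage(text):
    """Summarise one ffuf run: deduplicated hit count, catch-all clusters, VCS exposure."""
    hits = dedupe(parse_ffuf(text))
    return {
        "results": len(hits),
        "catch_all": likely_catch_all(hits),
        "exposed_vcs": exposed_vcs(hits),
    }


if __name__ == "__main__":
    for key, value in triage(FFUF_OUTPUT).items():
        print(f"{key}: {value}")
```

On the defensive side the matching fixes follow directly from the two findings: deny the whole .git path in the web server configuration rather than relying on a directory-index 403, and have the application answer unknown paths with a real 404 so that a catch-all page cannot mask genuine hits or be mistaken for them.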
Virtual Host / Sub-domain Discovery
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bullybox]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.bullybox.local' -ic -mc all -fs 71
________________________________________________
:: Method : GET
:: URL : http://192.168.154.27/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.bullybox.local
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response size: 71
________________________________________________
:: Progress: [114437/114437] :: Job [1/1] :: 1851 req/sec :: Duration: [0:01:15] :: Errors: 0 ::
No results: every fuzzed Host value returned the 71-byte default page, so no additional virtual hosts or sub-domains were identified.